Abstract: Nowadays we are faced with an increasing popularity of social software including wikis, blogs, micro-blogs and online social networks such as Facebook and MySpace. Unfortunately, the most widely used social services are centralized and personal information is stored at a single vendor. This results in potential privacy problems, as users have little control over how their private data is disseminated. To overcome this limitation, some recent approaches envisioned replacing the single-authority centralization of services with a peer-to-peer, trust-based approach where users decide with whom they want to share their private data. In such peer-to-peer collaboration it is very difficult to ensure that, after data is shared with other peers, these peers will not misbehave and violate data privacy. In this paper we propose a mechanism that addresses data privacy violation due to data disclosure to malicious peers. In our approach, trust values between users are adjusted according to their previous activities on the shared data. Users share their private data by specifying obligations the receivers must follow. We log the modifications users make to the shared data as well as the obligations that must be followed when data is shared. By a log-auditing mechanism we detect users that misbehaved and adjust their associated trust values using any existing decentralized trust model.

Key-words: trust, privacy, peer-to-peer collaboration, log-auditing 
An audit-based approach for trust management in peer-to-peer collaboration

Abstract (translated from the French résumé): For some years we have witnessed an explosion in the popularity of social software such as wikis, blogs, micro-blogs and social networks like Facebook and MySpace. Unfortunately, the most widely used of these services all rely on centralized control: a user's data ends up centralized at a single service provider. This undeniably raises a confidentiality problem, since users no longer control how their own data is disseminated. To overcome these limitations, several recent approaches propose replacing the centralized control of these services with peer-to-peer approaches that rely on trust mechanisms, where each user decides with whom he wishes to share his personal data. However, in this kind of collaboration it is very difficult to ensure that, once a piece of data has been shared with some peers, it is not disclosed to other, unauthorized peers. In this paper we propose a mechanism that limits the confidentiality violations caused by data disclosure by malicious peers. In our approach, the trust indices between users are adjusted according to the users' past behavior with respect to shared data. When a user shares data, he imposes on the other users obligations that they must respect. Every modification made to a shared datum by a user, and every obligation, is recorded in a log. By auditing this log, our approach detects users who misbehaved and adjusts their trust indices accordingly.

Keywords (translated): trust, data confidentiality, peer-to-peer collaboration, audit
1 INTRODUCTION

Social software including wikis, blogs, micro-blogs and social networks has emerged as a new form of interpersonal communication. Existing micro-blogging services such as Twitter and social networks such as Facebook or MySpace have millions of users every day. While these social services offer many attractive functionalities, they require storing personal information in the hands of a single large corporation, which is a perceived privacy threat. Users are obliged to hand their data to the vendors of these services and to trust that the vendors will preserve the privacy of their data, but they have little control over the usage of their data after sharing it with other users. These corporations could build a profile of an individual's behavior, on the basis of which decisions detrimental to that individual may be taken. Moreover, due to the large amounts of information these social services process every day, a single flaw in the system could permit retrieval of large parts of the personal data. For instance, on Facebook, features such as messages, invitations and photos help users gain access to private information, and flaws have been found in Facebook's third-party API that allow easy theft of private information.

Some recent approaches such as [5] proposed moving away from centralized, authority-based collaboration towards a peer-to-peer trust network where users have full control over their personal data, which they store locally, and can decide with whom to share it. Users define their network of trust, containing the people they trust and with whom they wish to collaborate. These peer-to-peer networks of trust overcome the disadvantages of centralized architectures by offering good scalability and fault tolerance and the possibility of sharing administration costs. In a peer-to-peer collaboration model, rather than a central authority having access to all users' personal data, control over data is given to the users. The risk of privacy breaches is therefore decreased, since only a part of the protected data in the peer-to-peer network may be exposed at any time. However, in this peer-to-peer collaboration it is very difficult to ensure that after data is shared with other peers, these peers will not misbehave and violate data privacy. To prevent data misuse, trust management mechanisms are used: peers are assigned trust values and a peer collaborates only with highly trusted peers. However, to our knowledge, there exists no approach that automatically updates trust values according to peers' misbehavior.

In this paper we propose a log-auditing approach for computing trust in a peer-to-peer environment according to how peers respect the obligations they receive from other peers concerning their private data. We also propose a novel audit-based compliance control approach suited to distributed collaborative environments, where obligations are checked a posteriori rather than enforced a priori. This a posteriori checking of usage policies differs from access control mechanisms, which check a priori. Rather than requiring a hard security mechanism, our solution uses a trust-based approach that is more flexible for users.

The rest of this paper is organized as follows. Section 2 gives an overview of peer-to-peer trust. Section 3 presents our log-auditing approach in decentralized systems. We then describe the formal structure of the logs in Section 4. In Section 5 we discuss the obligations that are associated with logs. Section 6 describes the mechanism for local trust assessment together with the algorithm. Section 7 compares our approach with related work and Section 8 presents concluding remarks and directions for future work.

2 PEER TO PEER TRUST OVERVIEW 

Peer-to-peer architectures reflect society better than other types of computer architectures [3], being better adapted to the way people think and to users' needs for knowledge sharing, and giving users more freedom to interact with each other. In this peer-to-peer collaboration model, however, it is very difficult to ensure data privacy. According to [20], data privacy is the right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others. A peer shares his private data only with peers that he trusts, so privacy is preserved for a direct connection with a peer. The main issue is what happens to data released to authorized persons, i.e. how the receiver may, must and must not use it. This issue is called usage control [T51 S] and is modeled by means of obligations that users receive together with the data.

Trust is a belief or confidence in the honesty and goodness of a person or organization. A classification of trust models is given in [19]. A trust level is an assessment of the probability that a peer will not cheat: an honest peer is assigned a high trust level while a malicious peer is assigned a low one. These trust levels are updated according to the peer's behavior; if a peer misbehaves, its trust level is decremented. The solution we propose in this paper for adjusting the trust levels of peers according to their behavior is general and can be combined with any existing reputation mechanism.

To give an overview of our approach, consider an example of data sharing in a social network. Suppose Alice creates a document and wants to share it with different friends, say Bob and Carol. She shares it with Bob together with a certain right to modify it. In a decentralized environment it is very difficult to force Bob to follow that policy: Bob can perform any action on the document once he has received it, and there is no way for Alice to guarantee that Bob will not misbehave on the document after it has been shared. In our approach we propose a mechanism that logs the past actions of users on shared data. Bob's actions are logged by the system. Alice will never know what Bob has done with her data if Bob only keeps the log locally, but his log of local edit actions is disclosed to whomever he re-distributes the data. If Carol receives the document, she can check the log to learn what actions Alice and Bob performed.

Our system does not aim to prevent fraud. Rather, the log mechanism provides audit capabilities in order to detect attempts at fraud after the data has been shared and used. The local actions on data and the communications between peers are assumed to leave some evidence and hence to be observable. The owner attaches a usage policy to the data in order to specify which actions are allowed and under which conditions. According to this a posteriori checking, the trust values of misbehaving users are decremented. For checking compliance with obligations, we audit the log containing the modifications done by users on the shared data as well as the obligations that must be followed. Each user evaluates trust in other users and keeps trust values locally instead of storing them at a central authority. Trust values help users decide whether or not to collaborate with other users. These values are updated after each a posteriori check of the log for detection of misbehaving users. Any trust model can be used for updating trust values. To our knowledge, our approach is the only one that addresses data privacy violation by discovering malicious users and updating user trust values.

3 LOG AUDITING APPROACH 

Our system consists of a group of communicating peers. Each peer has its own 
workspace. These peers collaborate together in creating and sharing data in a 
decentralized environment where no central administration point exists. Users 
are administrators themselves. 

The local edit actions and the communication actions among peers are logged by the system in an edit log and a communication log. Each user keeps locally one edit log and one communication log. When a user shares the document with others, the logs and the usage policies are associated with the document; the policies are specified in the communication log. Initially the log is empty, but as actions are performed and observations are made, the log grows. The logs are created under the following assumptions:

o Logs are created automatically by the system and they are unalterable. This assumption is practical: in reality logs could be changed, but there are techniques such as [5] to detect or prevent log modification.

o At least one obligation must be given in a sharing action. In a collaboration, when the document is sent back to the previous sender, it is not required to define new obligations.

o The order of occurrence of the events stored in the logs is maintained by a logical clock.

In a collaboration-based system users are expected to behave correctly, but they might be suspected of incorrect behavior. A user violates an obligation if he performs actions that are not permitted by the usage policies. We decrement their trust values each time violations are detected, so the trust value of a well-behaved peer is higher than that of a malicious peer. A peer holds initial trust values for the other peers; these are calculated and adjusted after each log analysis.

Log auditing consists in the analysis of both edit and communication logs. Each time a user receives different versions of the same document, the system automatically analyzes the logs in order to judge the past behavior of other users. An important point in checking past behavior is to detect mismatches between actions and obligations. Next, the received logs, which include past actions and obligations, are checked to decide whether they should be merged with the current local logs. If so, both the document edit logs and the communication logs are merged. In addition to merging obligations, conflict resolution between rights is required.

4 LOG STRUCTURE 

In this section we present the structure of the logs and give an example to illustrate how logs are created and stored locally at the sites of peers.

Definition 1. An event is denoted as $e = a^{s}_{r}$, where $a$ represents an action that can be either a local action on the document or a communication action, and $r$ represents parameters in the form of (name, value) pairs. The exponent $s$ gives the temporal meaning of the event: $s = -1$ denotes an actual event that a user performed, while $s = +1$ denotes an obligation event he has to follow.

Similar to the event structure of the Z language [16], each event in our log is composed of an action or an obligation and several parameters. For instance, $share^{-1}_{\{by,P_1\},\{to,P_2\}}$ is the event of sharing the document from $P_1$ to $P_2$ ($P_1$ shared the document with $P_2$), while $share^{+1}_{\{by,P_1\},\{to,P_2\}}$ is an obligation $P_1$ gives to $P_2$ ($P_2$ may share the document).

Definition 2. A log is a time-ordered sequence of pairs (logical clock, event): $[(c_1, e_1), (c_2, e_2), \ldots, (c_m, e_m)]$.

For ordering events we use a logical clock with the happened-before relation among events: event $e_1$ is ordered before event $e_2$ if $e_1$ happened before $e_2$. The system at each site maintains a counter that is incremented each time an event is generated at that site, and each event is assigned the value of the counter at the moment of its generation. This counter, also called the logical time $c_i$, is simply used to order events according to their order of occurrence. The logical clock of the sender's obligations is replaced by the new logical clock of the receiver at the moment he receives the document. This makes it possible to check whether events generated by a user conform to obligations previously received. The logical clock value the sender assigned to an obligation can be tracked backward through the logical clock value of the share event: from the logical clock of the share action we know when the sender shared the obligation events.




[Figure 1: Logs for a 3-peer collaboration; edit actions are drawn inside dashed boxes and communication actions inside solid boxes. Only the local edit actions of each peer and the obligations are shown. The drawing itself did not survive extraction; the logs it depicts are listed in the example below.]

Consider an example of sharing data in a distributed peer-to-peer social network. Users can share photos, videos or music documents and add comments to these documents (but they cannot modify the content of the documents). The obligations could be: "may read", "may not read", "may add comment", "may not add comment", "may delete comment", "may not delete comment", "may share", "cannot be shared". Figure 1 shows an example of three peers $P_1$, $P_2$, $P_3$ sharing photos. Let $P_1$ be the creator of data $d$. $P_1$ shares $d$ with $P_2$, and then $P_2$ shares it with $P_3$. In parallel, $P_1$ shares the same data directly with $P_3$. The logs of actions (edit log $l_{P_x\text{-}edt,d}$ and communication log $l_{P_x\text{-}com,d}$) are created locally at the peers as follows:

1. At its local site, $P_1$ creates document $d$, adds a comment to it, and shares the document with $P_2$ under the obligations "may read", "may share further" and "may not add comment" (the last one appears in the log below and is the one $P_2$ later violates). The logical clock starts from 1.

$l_{P_1\text{-}edt,d} = [(1, create^{-1}_{\{by,P_1\}}),\ (1, comment^{-1}_{\{by,P_1\}})]$

$l_{P_1\text{-}com,d}\ (\text{with } P_2) = [(2, share^{-1}_{\{by,P_1\},\{to,P_2\}}),\ (2, read^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (2, share^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (2, not\ comment^{+1}_{\{by,P_1\},\{to,P_2\}})]$

2. $P_2$ receives document $d$ with the associated logs and adds a comment to the document. The edit log is updated continuously. Note that the logical clock of the obligations in the communication log is updated to the value of the local logical clock at site $P_2$. Note also that $P_2$ received document $d$ with permission to read it and to share it further, but without permission to comment on it. Nevertheless he performed the comment action; therefore $P_2$ violated the received obligation.

$l_{P_2\text{-}com,d} = [(2, share^{-1}_{\{by,P_1\},\{to,P_2\}}),\ (1, read^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (1, share^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (1, not\ comment^{+1}_{\{by,P_1\},\{to,P_2\}})]$

$l_{P_2\text{-}edt,d} = [(1, create^{-1}_{\{by,P_1\}}),\ (1, comment^{-1}_{\{by,P_1\}})] \cup [(2, read^{-1}_{\{by,P_2\}}),\ (2, comment^{-1}_{\{by,P_2\}})]$

3. After sending to $P_2$, $P_1$ adds another comment to document $d$ and re-sends the document to $P_2$ with the obligation "may add comment". The logical clock of $P_1$ is increased after each action. $P_1$ also shares the data with $P_3$ under the same obligation "may add comment".

$l_{P_1\text{-}edt,d} = [(1, create^{-1}_{\{by,P_1\}}),\ (1, comment^{-1}_{\{by,P_1\}}),\ (3, comment^{-1}_{\{by,P_1\}})]$

$l_{P_1\text{-}com,d}\ (\text{with } P_2) = [(2, share^{-1}_{\{by,P_1\},\{to,P_2\}}),\ (2, read^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (2, share^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (2, not\ comment^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (4, share^{-1}_{\{by,P_1\},\{to,P_2\}}),\ (4, comment^{+1}_{\{by,P_1\},\{to,P_2\}})]$

$l_{P_1\text{-}com,d}\ (\text{with } P_3) = [(5, share^{-1}_{\{by,P_1\},\{to,P_3\}}),\ (5, comment^{+1}_{\{by,P_1\},\{to,P_3\}})]$

4. $P_2$ receives document $d$ again from $P_1$ and then shares it with $P_3$ with the obligation "not share", forbidding any further sharing of the document. The edit log of $P_2$ is updated to include the last action of $P_1$, the new comment.

$l_{P_2\text{-}com,d}\ (\text{local}) = [(2, share^{-1}_{\{by,P_1\},\{to,P_2\}}),\ (1, read^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (1, share^{+1}_{\{by,P_1\},\{to,P_2\}}),\ (1, not\ comment^{+1}_{\{by,P_1\},\{to,P_2\}})] \cup [(4, share^{-1}_{\{by,P_1\},\{to,P_2\}}),\ (3, comment^{+1}_{\{by,P_1\},\{to,P_2\}})]$

$l_{P_2\text{-}edt,d} = [(1, create^{-1}_{\{by,P_1\}}),\ (1, comment^{-1}_{\{by,P_1\}})] \cup [(2, read^{-1}_{\{by,P_2\}}),\ (2, comment^{-1}_{\{by,P_2\}})] \cup [(3, comment^{-1}_{\{by,P_1\}})]$

$l_{P_2\text{-}com,d}\ (\text{with } P_3) = l_{P_2\text{-}com,d}\ (\text{local}) \cup [(4, share^{-1}_{\{by,P_2\},\{to,P_3\}}),\ (4, not\ share^{+1}_{\{by,P_2\},\{to,P_3\}})]$

5. At the local site of $P_3$, suppose that $P_3$ receives document $d$ from $P_1$ before receiving it from $P_2$. The local communication log of $P_3$ is obtained by merging $l_{P_1\text{-}com,d}$ (with $P_3$), computed at step 3, with $l_{P_2\text{-}com,d}$ (with $P_3$), computed at step 4.

$l_{P_3\text{-}com,d} = [(5, share^{-1}_{\{by,P_1\},\{to,P_3\}}),\ (1, comment^{+1}_{\{by,P_1\},\{to,P_3\}})] \cup l_{P_2\text{-}com,d}\ (\text{local}) \cup [(4, share^{-1}_{\{by,P_2\},\{to,P_3\}}),\ (2, not\ share^{+1}_{\{by,P_2\},\{to,P_3\}})]$

$l_{P_3\text{-}edt,d} = l_{P_2\text{-}edt,d}$

In order to detect cheaters, each peer analyzes the received logs. A user whose actions do not conform to the obligations is considered a cheater. In the above example, $P_3$ detects the violation by $P_2$'s comment action in $l_{P_2\text{-}edt,d}$: the action was logged at $P_2$'s clock 2, after $P_2$ received the obligation "may not add comment" at clock 1 and before the overriding obligation "may add comment" arrived at clock 3.

5 OBLIGATIONS 

Collaborating in a distributed system makes it possible for a user to receive a document from many collaborators. In the previous example $P_3$ receives the same document from $P_1$ and $P_2$. $P_3$ will update the document based on the received changes, under certain obligations. Based on the obligations, the system decides to accept or reject the new copies of the data.

When a user receives different obligations, conflicts between obligations may occur. An obligation conflict means that the subjects are both required and required not to perform the same action on the target objects. In a multi-policy environment it is possible that one policy overrides another, so conflict detection should be performed in order to decide which usage policy is applied and which is ignored. Moreover, when a user receives a set of obligations instead of a single obligation, the conflict may occur between sets: two sets are in conflict if they contain at least one conflict between two single obligations. One solution to avoid conflicts is to give priority to certain obligations.
Obligations can be ordered by the ability they offer to work on the data. For two obligations $a_1, a_2$ we write $a_1 > a_2$ if $a_1$ gives more ability to work on the document than $a_2$; for example add-comment > read and share > not share. Two sets of obligations are compared by comparing each single obligation of one set with the corresponding obligation of the other. For example, [add-comment, share] > [not add-comment, share].

With this approach, if some obligation is not specified when a document is shared, for example neither share nor not share is given, peers can perform the corresponding actions as they wish without any violation, e.g. they may either share or not share the document.
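To make the ordering and conflict rules concrete, here is an added Python example (not code from the paper) that parses obligation strings of the form used above, compares single obligations and sets of obligations, detects conflicts, and merges obligation sets received at different logical clocks under either a latest-wins or a most-restrictive priority, applying the rule that an action no obligation mentions is unconstrained. The ability ranks beyond the two the text gives (add-comment > read, share > not share), the set-comparison semantics and the function names are assumptions made for the example.

```python
"""Ordering, conflict detection and priority merging of obligations (example code)."""
from typing import Dict, List, Optional, Tuple

# Ability rank of each action. Only add-comment > read and share > not share are
# given in the text; the remaining ranks are an assumption for this example.
ABILITY = {"read": 1, "add-comment": 2, "delete-comment": 3, "share": 4}


def parse(ob: str) -> Tuple[str, bool]:
    """Split an obligation into (action, permitted): 'not share' -> ('share', False)."""
    permitted = not ob.startswith("not ")
    action = ob if permitted else ob[len("not "):]
    if action not in ABILITY:
        raise ValueError(f"unknown obligation {ob!r}")
    return action, permitted


def greater(a: str, b: str) -> bool:
    """a > b: a offers more ability to work on the document than b.
    The permitting form of an action outranks its forbidding form; two permitting
    forms are ordered by ability rank; anything else is left incomparable."""
    (act_a, perm_a), (act_b, perm_b) = parse(a), parse(b)
    if act_a == act_b:
        return perm_a and not perm_b
    return perm_a and perm_b and ABILITY[act_a] > ABILITY[act_b]


def conflicts(set_a: List[str], set_b: List[str]) -> List[str]:
    """Actions that one set permits and the other forbids (an obligation conflict)."""
    da, db = dict(map(parse, set_a)), dict(map(parse, set_b))
    return sorted(act for act in da.keys() & db.keys() if da[act] != db[act])


def compare_sets(set_a: List[str], set_b: List[str]) -> Optional[str]:
    """'>' / '<' / '=' by comparing the obligations the two sets share, action by
    action; None when neither set dominates (or they share no action)."""
    da, db = dict(map(parse, set_a)), dict(map(parse, set_b))
    common = da.keys() & db.keys()
    if not common:
        return None
    more = any(da[act] and not db[act] for act in common)
    less = any(db[act] and not da[act] for act in common)
    if more == less:
        return None if more else "="
    return ">" if more else "<"


def merge(received: List[Tuple[int, List[str]]], priority: str = "latest") -> Dict[str, bool]:
    """Merge obligation sets received at different logical clocks into one policy.
    'latest'      - the obligation received last overrides earlier ones (the rule of Section 6);
    'restrictive' - on conflict the forbidding form wins."""
    if priority not in ("latest", "restrictive"):
        raise ValueError(priority)
    policy: Dict[str, bool] = {}
    for _, obligations in sorted(received, key=lambda item: item[0]):
        for ob in obligations:
            action, permitted = parse(ob)
            if priority == "restrictive":
                policy[action] = policy.get(action, True) and permitted
            else:
                policy[action] = permitted
    return policy


def permits(policy: Dict[str, bool], action: str) -> bool:
    """An action that no obligation mentions is unconstrained."""
    return policy.get(action, True)
```

Two sets that share no action are reported as incomparable rather than equal, and a set that permits one shared action while forbidding another is incomparable too; the latest-wins merge is the behavior Algorithm 1 relies on when it scans the communication log from the newest obligation backwards.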

In obligation-based collaborative systems, the more a user respects obligations, the more trust he gains and the more others will want to collaborate with him.

Unlike in a single centralized system, in a distributed P2P application peers are faced with conflicts between rights and obligations referring to the same document, but also with conflicts between changes on the same document. When a peer receives many copies of the same document, it analyzes the associated logs in order to assess the local trust values of the other peers who collaborated on the copies. Afterwards that peer checks whether to merge the logs and the document; if the obligations permit the peer to take the changes on the document, a merge algorithm is performed. Due to space limitations, we do not present in this paper our algorithms for merging documents and ordering rights and obligations.

6 TRUST ASSESSMENT 

In our decentralized system, each peer evaluates the trustworthiness of other peers based on its own experience. During collaboration between peers, trust values are adjusted mainly upon the result of log analysis. Checking a log is a basic mechanism for detecting cheaters and helps to predict the probability that they will continue to cheat in future actions.

We denote by $T^{log}_{P_i}(P_j)$ the trust value that a peer $P_i$ evaluates and assigns to peer $P_j$. In order to manage the trust values for peer $P_j$ we can use any existing decentralized trust model. Trust values are initially assigned a default value by the system.

Algorithm 1 takes as input linear logs (the edit log and the communication log). It is a local algorithm that peers apply to determine trust in other peers over the collaborative network: peer $P_i$ updates the value $T^{log}_{P_i}(P_j)$ for peer $P_j$ based on the result of log analysis.

All peers are set to the highest trust value at the beginning (max_trust_value). To detect misbehavior, a peer's action is considered to violate the obligations if there is a right or obligation that does not permit that action. For each event in the log, the parameter {by, $P_i$} identifies the user $P_i$ who performed the action; consider an action made by $P_i$ at logical time $c$. If $P_i$ is the creator of the document it has full rights to perform any action on it, so there is no need to check obligations for it. If $P_i$ received the document from another peer, its actions are compared with the obligations it was given. Obligations are kept as special "events" $(c_k, b^{s})$ with $s = +1$ in the communication log. From such an event we extract the parameter {to, $P_j$}. If $P_j = P_i$ and the logical clock value $c_k$ at which the obligation was received is less than the logical clock value $c$ at which the action was performed, the obligation applies to that action and the action is checked against it. Since the logical clock of an obligation is transformed from the sender's to the receiver's clock, we can check whether an action was done before or after the peer received the corresponding obligation. Note that rights and obligations can be overridden: only the latest ones are taken into account in our algorithm.

Algorithm 1: LOCAL-TRUST-ASSESSMENT
Input: the edit log $l_{edt}$ and the communication log $l_{com}$ of document $d$, and the user $A$ who is assessing trust.
Output: $T^{log}_{A}(P_i)$ for each $P_i$ that appears in the logs.
begin
    for each $(c, e = a^{s}_{r})$ in $l_{edt}$ with $s = -1$ do
        misbehaved := FALSE;
        extract $a$ and $P_i$ (from the parameter {by, $P_i$} in $r$);
        if $T^{log}_{A}(P_i)$ is not yet set then $T^{log}_{A}(P_i)$ := max_trust_value;
        if $P_i$ is not the creator of $d$ then
            k := lengthOf($l_{com}$);
            checked := FALSE;
            while (k >= 1) and (checked = FALSE) do
                get the k-th entry $(c_k, e_k = b^{s}_{r'})$ of $l_{com}$;
                extract $b$ and $P_j$ (from the parameter {to, $P_j$} in $r'$);
                if (s = +1) and ($P_j = P_i$) and ($c_k < c$) and ($b$ concerns $a$, i.e. $b = a$ or $b$ = not $a$) then
                    if ($b$ = not $a$) then misbehaved := TRUE; end
                    checked := TRUE;   (the latest relevant obligation decides; older ones are overridden)
                end
                k := k - 1;
            end
            if (misbehaved = TRUE) then
                adjust decrementally $T^{log}_{A}(P_i)$ according to the chosen trust model;
            end
        end
    end
end
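As an added, runnable illustration (not code from the paper), the following Python replays the three-peer scenario of Section 4 with the event and log structure of Definitions 1 and 2 and runs the check of Algorithm 1 over the logs that $P_3$ ends up holding. It follows the paper's conventions: one clock tick per event generated at a site, obligations re-stamped with the receiver's clock on receipt, the share action keeping the sender's clock, forwarded history copied unchanged, and only the latest obligation a peer received about an action deciding whether that action violated it. The class and function names, the fixed penalty standing in for "any existing trust model", and the exact clock values are assumptions; the clock values differ in detail from the example above because the paper does not tick the clock for every event.

```python
"""Event logs with logical clocks and local trust assessment (after Algorithm 1); example code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTION, OBLIGATION = -1, +1          # the sign s of an event a^s_r


@dataclass(frozen=True)
class Event:
    action: str                      # "create", "read", "comment", "share", "not comment", ...
    s: int                           # ACTION: what a peer did; OBLIGATION: what it must follow
    by: str                          # parameter {by, P_i}
    to: Optional[str] = None         # parameter {to, P_j}, communication events only


Entry = Tuple[int, Event]            # (logical clock, event), as in Definition 2


@dataclass
class Peer:
    name: str
    clock: int = 0
    edt: List[Entry] = field(default_factory=list)              # edit log l_{P-edt,d}
    com: List[Entry] = field(default_factory=list)              # received communication log
    sent: Dict[str, List[Entry]] = field(default_factory=dict)  # l_{P-com,d} (with X), per receiver

    def tick(self) -> int:
        self.clock += 1
        return self.clock

    def do(self, action: str) -> None:
        """A local edit action, stamped with this peer's own clock."""
        self.edt.append((self.tick(), Event(action, ACTION, self.name)))

    def share(self, receiver: "Peer", obligations: List[str]) -> None:
        """Share d with `receiver`: the share action and its obligations get one clock."""
        c = self.tick()
        batch = [(c, Event("share", ACTION, self.name, receiver.name))]
        batch += [(c, Event(o, OBLIGATION, self.name, receiver.name)) for o in obligations]
        self.sent.setdefault(receiver.name, []).extend(batch)
        receiver.receive(self, batch)

    def receive(self, sender: "Peer", batch: List[Entry]) -> None:
        """Merge the sender's logs. Obligations addressed to us are re-stamped with our
        own clock so they compare with our later actions; forwarded history and the
        share action keep the sender's clock (Section 4)."""
        c = self.tick()
        for entry in sender.edt:
            if entry not in self.edt:
                self.edt.append(entry)
        for ck, ev in sender.com + batch:
            entry = (c, ev) if (ck, ev) in batch and ev.s == OBLIGATION else (ck, ev)
            if entry not in self.com:
                self.com.append(entry)


def violations(edt: List[Entry], com: List[Entry], creator: str) -> List[Tuple[str, str, int, str]]:
    """The check of Algorithm 1. For every logged action, find the latest obligation the
    actor received about that action before performing it (both in the actor's clock)
    and report (peer, action, clock, obligation) when that obligation forbids it."""
    found = []
    for c, e in edt:
        if e.s != ACTION or e.by == creator:      # the creator has full rights on d
            continue
        for ck, ob in reversed(com):              # newest first: later obligations override
            if ob.s != OBLIGATION or ob.to != e.by or ck >= c:
                continue
            if ob.action in (e.action, "not " + e.action):
                if ob.action == "not " + e.action:
                    found.append((e.by, e.action, c, ob.action))
                break                             # the latest relevant obligation decides
    return found


def assess(edt: List[Entry], com: List[Entry], creator: str,
           max_trust: float = 1.0, penalty: float = 0.25) -> Dict[str, float]:
    """T^log_A(P_i) for every peer in the logs: start at max_trust and decrement once per
    detected violation (a fixed penalty stands in for 'any existing trust model')."""
    trust = {e.by: max_trust for _, e in edt if e.s == ACTION}
    for peer, *_ in violations(edt, com, creator):
        trust[peer] -= penalty
    return trust


def run_example() -> Tuple[List[Tuple[str, str, int, str]], Dict[str, float]]:
    """Section 4's scenario, assessed by P3 over the logs it ends up holding."""
    p1, p2, p3 = Peer("P1"), Peer("P2"), Peer("P3")
    p1.do("create")
    p1.do("comment")
    p1.share(p2, ["read", "share", "not comment"])    # step 1
    p2.do("read")
    p2.do("comment")                                  # step 2: violates "not comment"
    p1.do("comment")
    p1.share(p2, ["comment"])                         # step 3: now overrides "not comment"
    p1.share(p3, ["comment"])
    p2.share(p3, ["not share"])                       # step 4; P3 merges both copies (step 5)
    return violations(p3.edt, p3.com, "P1"), assess(p3.edt, p3.com, "P1")


def run_override_example() -> List[Tuple[str, str, int, str]]:
    """Same peers, but P2 comments only after P1 grants 'comment': nothing is flagged."""
    p1, p2, p3 = Peer("P1"), Peer("P2"), Peer("P3")
    p1.do("create")
    p1.share(p2, ["read", "not comment"])
    p1.share(p2, ["comment"])
    p2.do("comment")
    p2.share(p3, ["not share"])
    return violations(p3.edt, p3.com, "P1")


if __name__ == "__main__":
    print(run_example())             # P2's comment at clock 3 is the only violation; trust P2 = 0.75
    print(run_override_example())    # []
```

The clock comparison in `violations` is only meaningful because the obligation addressed to $P_i$ was re-stamped with $P_i$'s clock on receipt and $P_i$'s actions carry $P_i$'s clock as well; comparing an action against an obligation still carrying the sender's clock would be comparing two unrelated counters. The backward scan with an early `break` is what implements "only the latest obligation counts": in `run_override_example` the older "not comment" is never reached.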

When an assessed peer $P_j$ is detected as a cheater, its local trust value is decremented by the assessing peer $P_i$. The local trust values could be aggregated from log-based trust, reputation or recommendation trust, depending on the trust model being used. Research on trust models is out of the scope of this paper.

Our algorithm serves trust assessment by using logs. The violation in which a cheating user copies the content of a document to create a new one and then claims to be its owner cannot be detected by log auditing alone. However, the communication log could be used to discover the history of actions on the document, which helps to detect such cheaters.
7 Related Work

In this section we first compare our work with approaches that address data privacy in peer-to-peer systems. Then we describe and compare our mechanism with approaches that use related solutions in different contexts.

In order to return data ownership to users rather than to a third-party central authority, some recent works [2J [5T| explore the coupling between social networks and peer-to-peer systems. In this context privacy protection is understood as allowing users to encrypt their data and to control access by appropriate key sharing and distribution. Our approach is complementary to this work and concerns what happens to data after it has been shared.

Another approach that addresses data privacy violation in peer-to-peer environments is Priserv [5], a DHT privacy service that combines Hippocratic database principles with trust notions. Hippocratic databases enforce purpose-based privacy while reputation techniques guarantee trust notions. However, this approach focuses on a database solution and is limited to relational tables. Moreover, as opposed to our solution, Priserv proposes neither a mechanism for discovering the malicious users who do not respect the obligations required for using the data nor an approach for updating the trust values associated with users.

The OECD (Organisation for Economic Co-operation and Development) defined basic privacy principles including collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. We consider data privacy in collaborative work from the point of view of use limitation: users specify how their data may and may not be used. We consider a decentralized system in which documents are exchanged and shared among users. When a user receives a document, he is expected to work on it while respecting the obligations. The log mechanism is used to detect cheaters who do not respect their obligations. Unlike access control, which is concerned with granting access to sensitive data based on conditions that relate to the past or present, obligations impose conditions on the future and are concerned with the commitments of the involved users. At the moment access to the data is granted, adherence to these commitments cannot be ensured. The formal framework in [5] allows the specification of obligations and presents different mechanisms for checking adherence to commitments. However, all of its proposed solutions are based on a central reference monitor that ensures that data protection requirements are adhered to. As opposed to our approach, these solutions are not suitable for peer-to-peer environments where there is no central authority.

Keeping and managing event logs is frequently used for ensuring security and privacy and has been studied in many works. In [7], a log-auditing approach is used for detecting misbehavior in collaborative work environments where a small group of users shares a large number of documents and policies. In [TUlll7j, a logical, policy-centric framework for behavior-based decision making is presented; it consists of a formal model of the past behavior of principals based on event structures. However, these models require a central authority to audit the log in order to help the system make decisions, which is a limitation for using them in a fully decentralized environment.

Trust management is an important aspect of the solution we propose. The concept of trust varies between communities according to how it is computed and used. Our work relies on a concept of trust based on past encounters: "Trust is a subjective expectation an agent has about another's future behavior based on the history of their encounters" [12]. Various trust models for peer-to-peer systems exist, such as the NICE model [T5], the EigenTrust model [5] and the global trust model pQ, and our mechanism for discovering misbehaving users can be coupled with any existing trust model in order to manage user trust values.

8 Conclusion 

Our vision is to replace central-authority-based social software collaboration with distributed collaboration that supports the decentralization of services. In this context, our paper addressed the issue of data privacy violation due to data disclosure to malicious peers in a peer-to-peer collaboration. In our collaboration model users share their private data by specifying obligations the receivers must follow. The modifications users make to the shared data, and the obligations that must be followed when data is shared, are logged in a distributed manner. A distributed log-auditing mechanism is applied during the collaboration; users who did not conform to the required obligations are detected and their trust values are updated. Any distributed trust model can be applied within our mechanism. Users can perform concurrent modifications on shared documents and can share documents under different obligations according to their preferences.

A direction of future work is the evaluation of the proposed mechanism. We will first test the efficiency and complexity of our algorithms in peer-to-peer simulators such as PeerSim [14]. We then plan to apply our trust management approach to existing research peer-to-peer online social networks such as PeerSoN [15].